[Snort-sigs] Call for Spyware

Matthew Jonkman matt at ...2436...
Wed Aug 18 08:49:29 EDT 2004

At the bleedingsnort.com project we've been a bit obsessed with spyware. 
The sigs we have up have been doing a great job of helping us identify 
and get cleaned hundreds of infected PCs. And we're hearing similar 
success from many others.

We don't want to let those rules stagnate though. The spyware is always 
changing, and I'm sure the distributors of spyware have seen our efforts 
and are making changes to adjust and not be seen by existing rules. Many 
of the rules are very easy to circumvent by changing a URL or script name.

So this is a call for spyware. If you have details, infected systems, 
and/or preferably pcaps of new and/or undetected spyware, please send it 
in. You can send to me directly or to bleeding at ...2737... (Please 
avoid sending those to this list; that's a bit off-topic.)

It's been absolutely shocking the audacity of these advertisers and 
information collectors. Getting this dark little secret detected and out 
in the open is very much to all our benefit.

In a rather funny related story, 180solutions (a spyware maker) is suing 
a partner for using IE exploits to get their stuff installed. That's an 
interesting development.

Please send in your traffic dumps and spyware signatures. We must keep 
this up to date.


